Hey all - I’m in the process of designing a feature that will allow for client-side encryption of secrets within a Pulumi stack’s state file, which is managed by the service. If you’re interested in client-side encryption of secrets, I’d really appreciate it if you checked it out and left comments, especially comments about whether or not the proposed scheme is sufficient for you and/or if you are happy with it: https://github.com/pulumi/pulumi/issues/1867#issuecomment-424102794